Managing Zones (Task Map)

The following task map describes zone management tasks that are specific to
Trusted Extensions. The map also points to common procedures that are performed
in Trusted Extensions just as they are performed on an Oracle Solaris
system.

How to Display the Labels of Mounted Files

This procedure creates a shell script that displays the mounted file systems
of the current zone. When run from the global zone, the script
displays the labels of all mounted file systems in every zone.

Example 10-2 Displaying the Labels of File Systems in the restricted Zone

When run from a labeled zone by a regular user, the getmounts
script displays the labels of all the mounted file systems in that
zone. On a system where zones are created for every label in
the default label_encodings file, the following is the output from the restricted zone:

Note - Certain files are not used by the system, so that loopback mounting
them has no effect. For example, the /etc/dfs/dfstab file in a labeled
zone is not checked by Trusted Extensions software. For more information, see
Sharing Files From a Labeled Zone.

Start the zone.

# zoneadm -z zone-name boot

Example 10-3 Loopback Mounting the /etc/passwd file

In this example, the security administrator wants to enable testers and programmers
to check that their local passwords are set. After the sandbox zone
is halted, it is configured to loopback mount the passwd file. Then, the
zone is restarted.

How to Disable the Mounting of Lower-Level Files

By default, users can view lower-level files. Remove the net_mac_aware privilege to
prevent the viewing of all lower-level files from a particular zone. For
a description of the net_mac_aware privilege, see the privileges(5) man page.

Before You Begin

You must be in the System Administrator role in the global zone.

Halt the zone whose configuration you want to change.

# zoneadm -z zone-name halt

Configure the zone to prevent the viewing of lower-level files.

Remove the net_mac_aware privilege from the zone.

# zonecfg -z zone-name
set limitpriv=default,!net_mac_aware
exit

Restart the zone.

# zoneadm -z zone-name boot

Example 10-4 Preventing Users From Viewing Lower-Level Files

In this example, the security administrator wants to prevent users on one
system from being confused. Therefore, users can only view files at the
label at which the users are working. So, the security administrator prevents
the viewing of all lower-level files. On this system, users cannot see publicly
available files unless they are working at the PUBLIC label. Also, users
can only NFS mount files at the label of the zones.

Because PUBLIC is the lowest label, the security administrator does not run
the commands for the PUBLIC zone.

How to Share a ZFS Dataset From a Labeled Zone

In this procedure, you mount a ZFS dataset with read/write permissions in
a labeled zone. Because all commands are executed in the global zone,
the global zone administrator controls the addition of ZFS datasets to labeled
zones.

At a minimum, the labeled zone must be in the ready state
to share a dataset. The zone can be in the running
state.

Before You Begin

To configure the zone with the dataset, you first halt the zone.

Create the ZFS dataset.

# zfs create datasetdir/subdir

The name of the dataset can include a directory, such as zone/data.

In the global zone, halt the labeled zone.

# zoneadm -z labeled-zone-name halt

Set the mount point of the dataset.

# zfs set mountpoint=legacy datasetdir/subdir

Setting the ZFS mountpoint property sets the label of the mount point
when the mount point corresponds to a labeled zone.

By adding the dataset as a file system, the dataset is mounted
at /data in the zone before the dfstab file is interpreted. This
step ensures that the dataset is not mounted before the zone is booted.
Specifically, the zone boots, the dataset is mounted, then the dfstab file
is interpreted.

Share the dataset.

Add an entry for the dataset file system to the /zone/labeled-zone-name/etc/dfs/dfstab file.
This entry also uses the /subdir pathname.

share -F nfs -d "dataset-comment" /subdir

Boot the labeled zone.

# zoneadm -z labeled-zone-name boot

When the zone is booted, the dataset is mounted automatically as a
read/write mount point in the labeled-zone-name zone with the label of the
labeled-zone-name zone.

Example 10-5 Sharing and Mounting a ZFS Dataset From Labeled Zones

In this example, the administrator adds a ZFS dataset to the needtoknow
zone and shares the dataset. The dataset, zone/data, is currently assigned to
the /mnt mount point. Users in the restricted zone can view the dataset.

First, the administrator halts the zone.

# zoneadm -z needtoknow halt

Because the dataset is currently assigned to a different mount point, the
administrator removes the previous assignment, then sets the new mount point.

# zfs set zoned=off zone/data
# zfs set mountpoint=legacy zone/data

Next, in the zonecfg interactive interface, the administrator explicitly adds the dataset
to the needtoknow zone.

Users in the restricted zone, which dominates the needtoknow zone, can
view the mounted dataset by changing to the /data directory. They use
the full path to the mounted dataset from the perspective of the global
zone. In this example, machine1 is the host name of the system
that includes the labeled zone. The administrator assigned this host name to
a non-shared IP address.

# cd /net/machine1/zone/needtoknow/root/data

Troubleshooting

If the attempt to reach the dataset from the higher label returns
the error not found or No such file or directory, the administrator must restart the automounter service
by running the svcadm restart autofs command.

How to Enable Files to be Relabeled From a Labeled Zone

This procedure is a prerequisite for a user to be able to
relabel files.

Before You Begin

You must be in the Security Administrator role in the global zone.

Halt the zone whose configuration you want to change.

# zoneadm -z zone-name halt

Configure the zone to enable relabeling.

Add the appropriate privileges to the zone. The windows privileges enable users
to use drag-and-drop and cut-and-paste operations.

To enable downgrades, add the file_downgrade_sl privilege to the zone.

In this example, the security administrator wants to enable authorized users on
a system to upgrade files. By enabling users to upgrade information, the
administrator enables them to protect the information at a higher level of
security. In the global zone, the administrator runs the following zone administration commands.

Authorized users can now upgrade internal information to restricted from the internal
zone.

Example 10-7 Enabling Downgrades From the restricted Zone

In this example, the security administrator wants to enable authorized users on
a system to downgrade files. Because the administrator does not add windows
privileges to the zone, authorized users cannot use the File Manager to
relabel files. To relabel files, users use the setlabel command.

By enabling users to downgrade information, the administrator permits users at a
lower level of security to access the files. In the global zone,
the administrator runs the following zone administration commands.
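The two procedures above (removing net_mac_aware to block lower-level files, and adding the file_*_sl privileges to enable relabeling) both change a zone's limitpriv property. The following script is an added auditing example, not part of this guide: it reads a limitpriv value (the string printed by zonecfg -z zone-name info limitpriv) and reports which of those policies are in effect, so an administrator can check several zones at once. It assumes that "default" grants net_mac_aware but not file_upgrade_sl or file_downgrade_sl, as the procedures imply, and the zone list at the bottom is constructed sample data.

```shell
#!/bin/sh
# Added example: audit a zone's limitpriv for the policies on this page.
#   "!net_mac_aware"     -> users in the zone cannot view lower-level files
#   "file_upgrade_sl"    -> authorized users can upgrade (raise) file labels
#   "file_downgrade_sl"  -> authorized users can downgrade file labels
# Assumption: "default" includes net_mac_aware (so it must be revoked with
# "!net_mac_aware") and does not include the file_*_sl relabel privileges.

# has_priv PRIVSET NAME: succeed if NAME is granted by the limitpriv value.
# PRIVSET may be either the bare value or the "limitpriv: ..." line that
# "zonecfg -z zone-name info limitpriv" prints.
has_priv() {
    privset=${1#limitpriv: }
    name=$2
    case ",$privset," in *",!$name,"*) return 1 ;; esac   # explicitly revoked
    case ",$privset," in *",$name,"*)  return 0 ;; esac   # explicitly granted
    # Not listed: granted only if it is part of "default" (net_mac_aware is).
    case ",$privset," in
        *",default,"*) [ "$name" = net_mac_aware ] && return 0 ;;
    esac
    return 1
}

# audit_limitpriv ZONE PRIVSET: one summary line for the zone.
audit_limitpriv() {
    zone=$1
    privset=$2
    lower=viewable; has_priv "$privset" net_mac_aware     || lower=blocked
    up=no;          has_priv "$privset" file_upgrade_sl   && up=yes
    down=no;        has_priv "$privset" file_downgrade_sl && down=yes
    printf '%s: lower-level files %s, upgrade %s, downgrade %s\n' \
        "$zone" "$lower" "$up" "$down"
}

# Constructed sample (zone name, limitpriv value); on a real system replace
# this with a loop over "zonecfg -z $zone info limitpriv" for each zone.
SAMPLE='public default
internal default,file_upgrade_sl
restricted default,!net_mac_aware,file_downgrade_sl'

printf '%s\n' "$SAMPLE" | while read -r zone privset; do
    audit_limitpriv "$zone" "$privset"
done
```

The public zone, which has the lowest label and keeps the default privilege set, reports lower-level files as viewable; the restricted zone reports them as blocked and downgrade enabled.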

How to Create a Multilevel Port for a Zone

This procedure is used when an application that runs in a labeled
zone requires a multilevel port (MLP) to communicate with the zone. In
this procedure, a web proxy communicates with the zone. The Solaris Management Console
is used to add the MLP.